[j-nsp] out-bound anti-spoofing rules when using community-based routing
Mark Tinka
mtinka at globaltransit.net
Thu Jan 24 20:09:02 EST 2008
On Friday 25 January 2008 03:00, Peter E. Fry wrote:
> I'm curious myself...
> I guess URPF doesn't fit your needs? I'm not sure how
> a community match would differ a whole lot. Sadly
> enough, the best method I can think of offhand would be
> to run two filters -- one general and one specific to the
> customer link.
This is how we do it as well.
Have a general outbound prefix-list to BGP customers that's
secure enough, but if a customer needs to use your
automated blackholing BGP community, you may build a more
specific one for them that includes only their prefixes, so
you don't have your "evil" customers potentially
blackholing routes they do not own.
The configuration could grow, but perhaps automating this
process (via RPSL, and making sure your customers "talk" to
at least one RR) is one way forward.
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/juniper-nsp/attachments/20080125/f0de8333/attachment.bin
More information about the juniper-nsp
mailing list